
The data went down the drain

Can something be learned from the Liechtenstein tax affair?

Presenter: Dror-John Roecher




My Personal Disclaimer

There are many rumors regarding what happened.

There are many unanswered questions regarding what happened.

For this talk we assume that what is publicly known is what actually happened.

The ideas & opinions presented are my own and do not represent my employer's views or opinions.
What happened? Who was involved?





The Actors

Mule: Mr. Kieber
Intelligence: BND
A Bank: LGT
Legal Prosecution
The Stage

(Figure: the actors connected by arrows; the legible labels on the arrows and boxes are:)

Copies data regarding trusts/accounts on DVD
Sells DVD
Passes DVD on as "administrative assistance"
Calls on legal prosecution
Starts tax evasion investigation
Found trust with LGT to evade German taxes
Staatsanwaltschaft (public prosecutor's office)
Common questions...

Did the BND break German or Liechtenstein law?
Did Mr. Kieber break Liechtenstein law?
Was the action taken by the BND legitimate?

The answer to all these questions is: I don’t care. Whether the players acted within legal boundaries is not relevant:

Incidents don’t care about “legality”

Incidents don’t care about “legitimacy”
Chronology ([1], [2], [4], [5])

(Timeline figure; the axis dates read: 02/14 02/15 02/16 02/18 02/20 02/23 02/24 02/26 02/29 03/11)

The Data went down the drain - Troopers 08




Looks like a really „bad guy“ [5]

(Screenshot: Landespolizei Liechtenstein, News > Pressemitteilungen, “Öffentliche Fahndung nach Heinrich KIEBER” (public wanted notice for Heinrich KIEBER), 11.03.2008. Legible gist, translated: KIEBER is strongly suspected of having spied out, obtained and disclosed to foreign authorities customer data to the detriment of a Liechtenstein trust company; the notice asks for sightings to be reported to the police, states that he is to be arrested, and that the Liechtenstein prosecution authorities will seek his extradition without delay. The page ends with a STECKBRIEF (wanted-notice data sheet): Name Heinrich KIEBER, male, born 30.03.1965, nationality Liechtenstein.)
Mr. Kieber’s

According to [3]:

Money

Help stopping
  Tax evasion
  Corruption
  Money laundering

The Data

(Screenshot: FOCUS Online, “STEUER-SKANDAL: Die Spur des Denunzianten” (“Tax scandal: the trail of the informer”), http://www.focus.de/finanzen/steuern. Legible excerpt, translated: “His mail reads like an indictment of the principality. It is not only about money, the author claims. He wants to end corruption in the dwarf state, as well as ‘money laundering’ and ‘tax evasion’. The first sample proves to be a direct hit. The” - the excerpt is cut off here.)
Mr. Kieber’s history... [6], [7], [8]

1997: International warrant against Mr. Kieber for a CHF 600.000 check fraud in Spain.

04/2001 - 01/2003: LGT employee, tasked with the digitalization of paper-based account data.

2003: Attempted extortion against Liechtenstein (tried to get 2 fake passports in order to escape the international warrant).

2003: Turned himself in to Liechtenstein criminal prosecution.

Mr. Kieber’s history... [6], [7], [8] (continued)

2004: Pleaded guilty at trial, promised to return all stolen (LGT) data, was sentenced to 1 year prison (3 years according to some sources).

10/2004: Spanish international warrant canceled.

11/2005: Procedures in Spain discontinued.

01/2006: First Email to BND offering data...
More questions...

If Mr. Kieber worked at LGT from 2001-2003, how come the BND claims to have data up to 2005?

Was/is there another informant?

Who leaked Mr. Kieber’s name and why?

The answer to all these questions is: I don’t care - for the scope of this talk, these questions are not relevant: The data was disclosed, regardless of personal history / political motives.
The InfoSec Incident

Data Leakage / Data Loss

What happened in Liechtenstein is a case of Data Leakage / Data Loss. This can happen (and it does) in many different ways:

Accidentally

Loss of data medium (USB stick, etc.)
Unintended disclosure (via email, mail to wrong recipient, etc.)

Deliberately

“Business breaks security” approach
Thief / Hacker steals data / laptop / USB stick
Insider steals data / laptop / USB stick / printer output
Dumpster diving

Data Loss / Data Leakage can be a worst-case scenario (think stolen identities, credit cards, R&D data ...)




An incident usually happens...

A worst-case incident usually happens, when...

Risk is not properly controlled

AND

A couple of minor defects coincide

At 2:17 A.M., the Titanic's stern rose out of the water, reaching a near vertical position before the great ship disappeared under the sea. From the lifeboats, passengers heard a hideous noise as all the contents of the ship crashed forward. Several survivors reported seeing the ship begin to break apart.
“Minor” defects with respect to Liechtenstein

HR of LGT failed to check or failed to be alarmed by Kieber’s background, even though he was hired to digitalize sensitive data.

The “system” to digitalize data did not prevent copying of data (where “system” means the whole setup, including organizational controls, physical security, monitoring, etc.).

At the 2004 trial, LGT failed to assure the complete return of all data (how that could have been accomplished - I don’t know).
CISOs’ / Risk Managers’ Approach to the Liechtenstein Affair

Definitions: Threat, Risk & Vulnerabilities

Threats: Possible events with a negative impact (e.g. “sensitive data is disclosed”).

Vulnerabilities: Circumstances which abet the “happening” of incidents (e.g. “no classification of data present”, therefore no guideline for “what is classified?”).

Risk is always the risk associated with a threat, and it is mitigated by controls.

Calculated risk and physical control

• Threat: Trap is triggered. Impact: Death

• Vulnerability: Mouse is susceptible to cheese

• Mitigating Control: Helmet (physical control, reducing impact to headache)

• Risk: Probability x Impact (see next slide)
Simple Risk Formula

Risk(Threat) = Probability * Impact

How do controls come into place? Controls act either on the probability or on the impact...

Risk = (P - Controls_P) * (I - Controls_I)
Mitigating Controls

Controls can be grouped into:

Managerial Controls
Operational Controls
Technical Controls

Risk Control Strategy

(Figure: strategy matrix with Probability on the vertical axis and Impact on the horizontal axis, each running up to “high”; the legible cells read “Accept Risk” and “Share or Transfer Risk”.)
Managerial Controls

Address the design and implementation of the security planning process and security management.

Management controls also address:

Risk management
Security control reviews
Operational Controls

Operational controls govern operations and activities so that they are conducted under specified conditions.

Operational controls may be documented through the use of work instructions, operational procedures or manuals.
Operational Controls



They include: 

Documentation 

Configuration and change management 

Incident response planning 

Disaster recovery planning 

Software development and test environment 

Outsourced facilities 

Personnel security 

Physical security 
Technical Controls



Address technical issues related to designing and 
implementing security in the organization 

Technologies necessary to protect assets are 
examined and selected 

They include 

Identification and authentication 

Access control 

Audit and accountability 
Controls with regard to Data Leakage

Threat: Deliberate Data Leakage

Least Feasible (most work, least likely)

Memorizing data: writing it down at home
Manual notes: taken home/emailed home

Somewhat Feasible

Paper copied: taken home - then digitized
Photographs: taken home on DigiCam
Screenshots: printed & taken home/emailed home

Most Feasible (least work, most likely)

Data attached to Email: then mailed home
Data copied: to USB/CD/DVD, taken home
Managerial Controls

Perform Risk Analysis to identify and mitigate the risks. Forms the basis of all other controls.

Impact rating * Probability rating = Risk Level

(Table: Impact Rating Ranges * Probability Ranges; only the top row is legible: High = 10-7 for the impact rating and 10-7 for the probability rating.)
Operational Controls

Policies:

No Email from “data digitizing” system (“prohibited use policy”)
Limitation of USB devices (“prohibited use policy”)
No camera/mobile phone on premises (“prohibited use policy”)

HR:

Thorough background-screening of employees

IT-Operations:

No CD-RW on “data digitizing” system (“minimal machine”)
No copier accessible for data-digitizing personnel or in data-digitizing premises (“least privilege”)
Technical Controls



General Policy Enforcement 

No USB support in “data digitizing” system: Easy to disable USB, 
mature “device control products” available. 

No Email from “data digitizing” system (policy enforcement): Easy, 
no additional products needed. Simple case of suppressing 
connectivity / can be handled at the network layer. 

Targeted Technical Controls 

Data Leak/Data Loss Prevention System (DLP): a new technology 
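The risk analysis the talk calls for, as an added example that is not part of the original slides: it applies the talk's formula Risk = (P - Controls_P) * (I - Controls_I) to the leakage vectors ranked on the "Controls with regard to Data Leakage" slide and toggles the classical controls listed on the Operational and Technical Controls slides to show the residual risk each combination leaves. The numeric ratings, the reduction per control and the risk-level thresholds are assumptions made for the illustration.

```python
# Added example (not from the talk): a risk register for the "Deliberate
# Data Leakage" threat using the talk's formula
#     Risk = (P - Controls_P) * (I - Controls_I)
# over the leakage vectors the talk ranks by feasibility. Ratings and
# control reductions are constructed for illustration only.
from dataclasses import dataclass

@dataclass(frozen=True)
class Vector:
    name: str
    probability: int  # 1..10; the "most feasible" vectors rate highest
    impact: int       # 1..10; damage if the vector succeeds

# Ordered from least to most feasible, following the talk's ranking.
VECTORS = [
    Vector("memorizing data, written down at home", 1, 3),
    Vector("manual notes taken or emailed home", 2, 4),
    Vector("paper copied, taken home, digitized", 4, 7),
    Vector("photographs taken with a digital camera", 4, 7),
    Vector("screenshots printed or emailed home", 5, 7),
    Vector("data attached to email", 8, 9),
    Vector("data copied to USB/CD/DVD", 9, 10),
]

# Classical controls from the talk: vector name (or "*" = every vector)
# -> (probability reduction, impact reduction). These controls all act
# on probability, so the impact side stays 0; the formula supports both.
CONTROLS = {
    "no_usb":    {"data copied to USB/CD/DVD": (5, 0)},
    "no_cdrw":   {"data copied to USB/CD/DVD": (4, 0)},
    "no_email":  {"data attached to email": (8, 0),
                  "screenshots printed or emailed home": (3, 0),
                  "manual notes taken or emailed home": (1, 0)},
    "no_copier": {"paper copied, taken home, digitized": (3, 0)},
    "no_camera": {"photographs taken with a digital camera": (4, 0)},
    # Background screening targets the root cause (the wrong person
    # hired), so it lowers every vector a little rather than one a lot.
    "background_screening": {"*": (2, 0)},
}

def residual(vector, active):
    """Residual (P, I) after subtracting the active controls, floored at 0."""
    dp = di = 0
    for control in active:
        for target, (rp, ri) in CONTROLS[control].items():
            if target in ("*", vector.name):
                dp, di = dp + rp, di + ri
    return max(0, vector.probability - dp), max(0, vector.impact - di)

def risk(vector, active=frozenset()):
    """Risk = (P - Controls_P) * (I - Controls_I) for one vector."""
    p, i = residual(vector, active)
    return p * i

def level(score):
    """Impact rating * probability rating -> risk level (thresholds assumed)."""
    return "High" if score >= 49 else "Medium" if score >= 16 else "Low"

def register(active=frozenset()):
    """Risk register, highest residual risk first (ties keep slide order)."""
    rows = [(v.name, risk(v, active), level(risk(v, active))) for v in VECTORS]
    return sorted(rows, key=lambda row: row[1], reverse=True)
```

With no controls the USB/CD/DVD vector tops the register; disabling USB and CD-RW alone drives that one vector to zero while the paper and camera vectors are untouched, which is the point of running the analysis before picking controls.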
Technical Data Loss / Data Leak Prevention

Security hype cycle

(Figure 1. Hype Cycle for Information Security, 2007. Source: Gartner (September 2007). Axes: visibility vs. time; phases: Technology Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment, Plateau of Productivity. Among the technologies plotted is “Content Monitoring and Filtering and Data Loss Prevention”. Legend, years to mainstream adoption: less than 2 years, 2 to 5 years, 5 to 10 years, more than 10 years, obsolete before plateau.)
DLP vs Digital Rights Management (DRM)

DLP is basically a spin-off of DRM.

The “music industry” wanted to protect music from illegal copying and developed DRM, which enables the provider to define rights regarding copying, playing, converting, etc...

Example: Microsoft Zune Player DRM [9]

DLP is “just a flavor” of automatic DRM.
Definition of DLP [10]

“Products that, based on central policies, identify, monitor, and protect data at rest, in motion, and in use, through deep content analysis.”

Key concepts:

Central Policy
Deep analysis
Broad coverage across platforms
Protect data in motion & at rest & in use
Central Policy / Data Classification

Creation, Management and Workflow for the definition of the policy:

Needs data classification scheme and associated actions:

(Screenshot: a web-mail inbox showing a message “Re: Customer XYZ” from Dror-John.Roecher@CO..., received Tue, 08 Apr 2008, 15:08, with the message’s boilerplate footer:)

This email is confidential. If you are not the intended recipient, you must not disclose or use the information contained in it. If you have received this mail in error, please tell us immediately by return email and delete the document.
Deep Analysis

Deep Analysis means: look at the Content and the Context of the analyzed data.

Content: The actual content of the data

Context: Context in which the data is used (source, destination, time/date, meta-data, etc.)

Content analysis is the focus of DLP.
Content Analysis Techniques [10]

Rule-Based/Regular Expression (look for an expression)

Database Fingerprinting / Exact Data Matching (e.g. look for a specific CC number)

Exact File Matching (look for a specific file via “hashes”)

Partial Document Matching (look for specific parts of a document)

Statistical Analysis

Categories (prebuilt categories with rules & dictionaries for specific types of sensitive data - e.g. HIPAA, PCI)

Manual Classification by originator
Manual Classification Example

(Screenshot: the File > Permission submenu of a Microsoft Office (Word) document, offering: Unrestricted Access, Do Not Forward, Microsoft Confidential, Microsoft Confidential Read Only, Microsoft FTE Confidential, Microsoft FTE Confidential Read Only, Restrict Permission As...)

An example for „manual classification"
Fingerprinting & Detection

(Figure with two pipelines:)

Fingerprinting: Database Record or Document -> Algorithmic Conversion (shown as bit strings) -> Hash (a list of hash values, one per chunk) -> Fingerprint Storage & Indexing

Detection: content in transit (E-mail, Web, Fax, Print, etc.) -> Algorithmic Conversion -> Hash -> Fingerprint Creation -> Real-Time Fingerprint Comparison against the stored fingerprints
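The fingerprinting and detection pipeline of the diagram, as an added example that is not part of the original talk or of any DLP product: it fingerprints a constructed client record, then runs three of the content analysis techniques listed above (exact file matching via a hash, partial document matching via chunk fingerprints, and a rule-based regular expression) over outgoing messages, and combines the content result with a context check on the recipient's domain. The record, the messages, the domain list, the shingle size and the match threshold are assumptions.

```python
# Added example (not from the talk): fingerprinting / detection pipeline
# with exact file matching, partial document matching and a regex rule,
# plus a context check on the recipient. The protected record, messages,
# domains, shingle size and threshold are constructed for illustration.
import hashlib
import re

def normalize(text):
    """Algorithmic conversion: case-fold and keep alphanumeric tokens only."""
    return re.findall(r"[a-z0-9]+", text.lower())

def shingles(tokens, k=5):
    """Overlapping k-word windows, each hashed into one fingerprint chunk."""
    return {hashlib.sha256(" ".join(tokens[i:i + k]).encode()).hexdigest()[:16]
            for i in range(max(1, len(tokens) - k + 1))}

class FingerprintIndex:
    """Fingerprint storage & indexing for the protected documents."""
    def __init__(self):
        self.file_hashes = {}   # sha256(whole file) -> doc id (exact match)
        self.chunks = {}        # chunk hash -> {doc id} (partial match)

    def add(self, doc_id, text):
        self.file_hashes[hashlib.sha256(text.encode()).hexdigest()] = doc_id
        for h in shingles(normalize(text)):
            self.chunks.setdefault(h, set()).add(doc_id)

    def exact_match(self, text):
        return self.file_hashes.get(hashlib.sha256(text.encode()).hexdigest())

    def partial_match(self, text, threshold=0.5):
        """Real-time comparison: share of the outgoing text's chunks that hit."""
        out = shingles(normalize(text))
        hits = {}
        for h in out:
            for doc_id in self.chunks.get(h, ()):
                hits[doc_id] = hits.get(doc_id, 0) + 1
        doc_id, count = max(hits.items(), key=lambda kv: kv[1], default=(None, 0))
        ratio = count / len(out)
        return (doc_id, ratio) if ratio >= threshold else (None, ratio)

# Constructed sample data: one digitized client record and the org's domain.
PROTECTED = {"client-record-4711": (
    "Client record 4711: Example Trust AG Vaduz, beneficial owner Hans Muster, "
    "account 0001-2345, balance CHF 1200000 as of 2004-06-30, "
    "contact via foundation council only.")}
INTERNAL_DOMAINS = {"bank.example"}
RULES = {"account-number": re.compile(r"\b\d{4}-\d{4}\b")}  # rule-based check

def build_index():
    index = FingerprintIndex()
    for doc_id, text in PROTECTED.items():
        index.add(doc_id, text)
    return index

def decide(index, text, recipient):
    """Deep analysis: content (fingerprints, rules) + context (destination)."""
    reason = index.exact_match(text) or index.partial_match(text)[0]
    if reason is None:
        reason = next((n for n, rx in RULES.items() if rx.search(text)), None)
    if reason is None:
        return "allow", None
    external = recipient.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS
    return ("block" if external else "log"), reason
```

A message that copies most of the record matches on roughly three quarters of its chunks even though its framing text differs, whereas an unrelated message matches nothing; the same content sent to an internal address is only logged, which is the context half of the analysis.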
Detection Accuracy

(Figure: Analysis Ranking plotted against Detection Granularity, starting from Low.)

Broad Coverage

Operating System support (anyone got production data on Win98 boxes? Good luck!)

File type support (the more the better - but the more, the more parsers are needed, which might be used to attack the solution itself)

Nested files (embed a spreadsheet in a Word document and zip it - again a parsing problem)

At rest, in use & in motion (so obviously an agent on the clients is needed - and an inline box in the network path - yet more points of failure)
Classification-based rights management

Role Based Access

(Figure: the classification “Executive Communications” is mapped to the HR Director role; the classification “Company Announcements” is mapped to All Employees.)
A critical view on DLP


Some critical thoughts on DLP 



Not yet mature - lots of false positives (think of early-days 
Intrusion Detection Systems) 

Yet another agent with high privileges and a parsing- 
engine: susceptible to attack resulting in system 
compromise 

Added complexity - contradicts “Keep It Simple” paradigm 
of InfoSec 

One more log-source: Incident Management, Monitoring 
adversely affected 
More critical thoughts on DLP




One more Helpdesk-Problem: “I can’t mail that file!” 

Doesn’t address the problem - it is just a fix to the 
symptoms (thinking of ‘nappies’ when hearing ‘leakage’?) 

Needs working data classification - if classification already 
works, why do you need leak prevention? 

How is encrypted traffic handled? With key escrow? (not 
again!) 
Could the Liechtenstein Data Leak have been prevented?

Liechtenstein may have been preventable with a working DLP under the following circumstances:

When digitizing the paper, the files are DLP-treated before they are written to disk - which means it needs to integrate into the scanning application, or run in kernel space to intercept file-create operations.

The DLP policy applies “copy/mail prevention” per default to the newly created files (maybe based on context, rather than content).

The DLP rights don’t collide with the access control of the Document Management System (DMS) which is used to store the digitized data.

The DLP is able to enforce the protection within the used DMS.
Prevention with Classical Controls

Policies would not have worked because the offender was a criminal - criminals don’t care about policies (policies are useful in other ways)

Disabling USB support on the machine would have stopped the easy way of copying

Disabling Email support on the machine would have stopped the easy way of copying

Access Control to copiers would have prevented making paper copies

HR background screening would have prevented the offender from being employed in the first place (thereby eliminating the root cause of the leakage)
Lessons Learned

More is less...

Even though DLP may have been able to prevent the Liechtenstein InfoSec incident...

It does not address the root cause (wrong people hired for the job)

It addresses only some use-cases (what about non-digital data? What about encrypted data?)

It adds another layer of complexity to security operations

It requires another manageable agent with high privileges on the clients
Less is more



Classical Controls would have been better suited, 
because... 

They are able to address the root cause 
They do not add more complexity 
They apply to all data 

They mitigate risk beyond “Data Leakage” threats (e.g. 
USB enforcement also mitigates malware-infection 
threats) 

They are more mature and have a history of being 
manageable 
Lessons Learned



Information is a valuable asset - for outsiders too. 

Data Leakage has happened, happens today and will 
happen in the future. 

“Interested parties” are willing to spend $$$ to get 
information. 

“Interested parties” include national intelligence agencies. 
Lessons Learned - continued



Offenders do not care about “legal restrictions”. 

Risk analysis can help you to identify where the risks are. 

HR is part of the overall security program - and needs to 
be made aware of that. 

Classical Controls are usually still the better choice to get 
a grip on data leakage. 

Technology (DLP) is not (yet) the answer. 
Questions? And Answers

Thank you for listening...

Dror-John Roecher
Computacenter Services & Solutions

Mobile: +49 (0) 172 2382946
E-mail: dror-john.roecher@computacenter.com
QR-Codes (ISO/IEC 18004)

All referenced Web-sites are available as QR-Codes (visual tags).

A tag-reader for your mobile devices can be downloaded here:

http://reader.kaywa.com/

A tag-reader for your Windows-PC can be downloaded here:

http://www.bctester.de/